1. Background


One of the challenges for the U.S. National Archives and Records Administration (NARA) is to
provide essential information assurance (IA) services for sensitive electronic records archives
(ERA) in transit between networked computer systems. Current software technologies for
securing data in transit rely on cryptographic algorithms and protocols provided in IP Security
(IPSec), Virtual Private Network (VPN), or Secure Shell (ssh).

The general difficulties of using IPSec and VPN are complexity and compatibility. IPSec has
evolved and been updated with new standards from 1995 (RFC 1825-1829) to 2005 (RFC
4301-4309). VPNs are generally designed and built on proprietary algorithms; usually, they
must be acquired, installed, and operated from the same manufacturer.

Therefore, IPSec and VPN are typically implemented and operated at network routers by a
network administrator to secure network traffic between local area networks (LANs), rather than
being used by end users at the system level. For example, IPSec or VPN are used to connect the
internal LANs of an organization's different sites through a public network such as the Internet.
With this type of operation, however, there is no end-to-end encryption between any two
networked computers, whether in the same LAN or in different LANs. Hence, the communication
traffic between two computers in the same LAN, or from a local node to its router, has no
protection.

The Secure Shell technologies and their derivatives, such as Secure Copy (scp) and Secure Shell
File System (sshfs), are designed to operate at the application level and to provide network
security for specific applications. For example, ssh is for securely logging in to or accessing
remote computers; scp is for securely copying files from remote computers; sshfs is for securely
accessing remote file systems. The network security offered by these software applications does
provide end-to-end encryption between computers, but each is designed specifically for one
particular application. They are not designed to provide network security for general-purpose
network applications. There have been some successes in adjusting and tuning application
software and ssh so that the application operates securely through ssh technologies. But tuning
application software to obtain the desired security is cumbersome and difficult, and sometimes
the tuning limits the capability of the application software. Moreover, network security skills
(such as those of a network administrator) are required to properly configure, tune, and operate
ssh for other application software.

In brief, security technologies have been developed and are available to secure network traffic,
but they require network security administrator skills to be used properly, and they are designed
and implemented for specific applications or operated mainly at network gateway devices.
Therefore, for NARA to achieve essential IA services for sensitive ERA in transit, the end-to-end
encryption and authentication requirements should be implemented at the computer system level.

To meet NARA's technical requirements for end-to-end encryption and authentication at the
computer system level, the Army Research Laboratory (ARL) developed a secure communication
network middleware called "Secure Link," capable of providing essential IA services for
accessing or transferring sensitive ERA between any two networked computers. This report
documents the development of ARL Secure Link.


2. ARL Secure Link Middleware 


ARL developed for NARA the Secure Link middleware based on the specified functional 
behavior and technical requirements documented in the ARL memorandum report entitled 
“Functional Requirements Assessment of Secure Link” (5). 

2.1 Design Architecture

The ARL Secure Link was designed as a daemon program (a program executed in the background)
that performs three main functions: authentication, encryption, and encapsulation. Its purpose is
to secure the network traffic of selected network applications between two computers that run the
Secure Link middleware. Authentication and encryption were achieved using the OpenSSL
library (7), open source software that has been certified by the National Institute of Standards
and Technology (NIST). ARL developed the encapsulation function to achieve a tunnel
mechanism with one endpoint at one end but many endpoints at the other end. This special
tunneling allows network packets for different destinations to be encapsulated at one endpoint
and distributed to many endpoints based on their destination IP addresses.

The network security provided by ARL Secure Link relies first on Netfilter (2) (the Linux
firewall software) to channel selected network traffic of application software to ARL Secure
Link. After receiving network packets from the selected application software, ARL Secure Link
performs a peer-to-peer (P2P) authentication with the specified destination host, based on the
destination IP address of the packets, so that the two host computers running ARL Secure Link
mutually authenticate each other and generate a symmetric session key to be used for
encryption between them. The application network traffic is then encrypted using the generated
session key and passed to the encapsulation process, which tunnels the encrypted traffic to the
destination. Upon receiving encapsulated traffic, the destination host detunnels it, decrypts the
ciphered traffic, and finally forwards the deciphered network traffic to the application software.

Figure 1 depicts the functional and operational diagram of Secure Link relative to the application
software, firewall, IP routing engine, and local area network of two networked computer
systems.

Figure 1. Functional and operational diagram of Secure Link in two networked computers.

2.2 Implementation Requirements 

As described above, the Secure Link middleware operates like a firewall, but its function is to
secure certain desired network traffic by diverting it to a secure tunnel. The secure tunnel is
established on demand between two computer systems running Secure Link to channel the
selected network traffic between them. The two computers mutually authenticate each other
before establishing the secure tunnel, and cryptographic protocols are used to encrypt the
network traffic that forms the secure tunnel.

To minimize costs and effort, the implementation of Secure Link relied on open source
software, such as Linux Netfilter, the OpenSSL library, VTun (5), and Universal TUN/TAP (4). As
a result, the current implementation of Secure Link supports only Linux-based systems and
secures only unicast network traffic using the Internet Protocol (IP). The implementation of
Secure Link requires a rebuild of the Linux kernel (specifically Linux kernel 2.6.20 at the current
stage of development) to take advantage of additional features provided by Netfilter, such as the
ROUTE target. The OpenSSL library is used for authentication using the peer-to-peer method and
for encryption using the AES (5) (Advanced Encryption Standard) and Blowfish (6) algorithms
(Blowfish is the default algorithm). VTun and Universal TUN/TAP provide a framework for
developing the Secure Link middleware, especially for creating secure tunnels.

During the process of implementing Secure Link, ARL successfully developed a method of
generating a public key infrastructure (PKI) for use with the peer-to-peer method. The successful
development of PKI certificates for peer-to-peer authentication (instead of the typical client-and-
server authentication) provides more versatility in using the special secure tunnel with one
endpoint to many endpoints. The method for generating the peer-to-peer cryptographic
certificates was based on the method and procedure for creating client-server certificates
developed by the same author (P).

2.3 Operation Outline

To properly use the current development version of the ARL Secure Link middleware for
end-to-end encryption and authentication between Linux computer systems, the system
administrators must first obtain peer-to-peer PKI certificates for each participating computer
system using the ARL-developed software. Then, the system administrators of the systems, which
are built with Linux kernel 2.6.20 and capable of redirecting selected network traffic using
iptables, start the ARL Secure Link middleware as a Linux daemon called SLD. From this point,
the system administrators can select any desired network applications to be protected by using
iptables commands to redirect the selected network traffic (specified by the transport port
number of the IP traffic, e.g., TCP port 80, UDP port 43, ...) to SLD. Upon receiving any
redirected network traffic, SLD authenticates the destination hosts using P2P PKI certificates if
they have not been verified before. Once the destination hosts are validated, SLD uses its
encryption/decryption and tunneling (encapsulation)/detunneling mechanisms to securely send
and receive the selected network traffic.
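The redirect, authenticate, encrypt and encapsulate flow of section 2.1 and the per-destination handling of redirected traffic in section 2.3, as an added Python example that is not ARL's code and does not reproduce VTun's frame format: the peer table and addresses, the length-prefix framing, and the injected cipher callable are assumptions, and the certificate handshake is represented only by its outcome (install_session).

```python
import struct
import ipaddress
from typing import Callable, Optional

# Constructed peer table (hypothetical addresses): SLD host IP -> its tunnel UDP endpoint.
PEERS = {
    "10.1.1.10": ("192.0.2.10", 5000),
    "10.1.2.20": ("192.0.2.20", 5000),
}

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet (header checksum left zero; test input only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt: bytes) -> tuple[str, str, int]:
    """Return (src, dst, protocol) of a raw IPv4 packet; reject anything else."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if f[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])), f[6]

class OneToManyTunnel:
    """One local tunnel endpoint; the remote endpoint is chosen per destination IP."""
    def __init__(self, peers: dict, cipher: Callable[[bytes, bytes], bytes]):
        self.peers = peers
        self.cipher = cipher                  # (session_key, plaintext) -> ciphertext
        self.sessions: dict[str, bytes] = {}  # dst IP -> symmetric session key

    def needs_handshake(self, dst: str) -> bool:
        # True when dst runs SLD but the P2P certificate exchange has not run yet.
        return dst in self.peers and dst not in self.sessions

    def install_session(self, dst: str, key: bytes) -> None:
        # Record the session key agreed during mutual authentication (not modelled here).
        self.sessions[dst] = key

    def encapsulate(self, pkt: bytes) -> Optional[tuple[tuple[str, int], bytes]]:
        """Return (peer UDP endpoint, UDP payload); None leaves it to ordinary routing."""
        _, dst, _ = parse_ipv4(pkt)
        if dst not in self.peers:
            return None                       # destination runs no SLD
        if self.needs_handshake(dst):
            raise LookupError(f"peer {dst} is not authenticated yet")
        body = self.cipher(self.sessions[dst], pkt)
        # Constructed framing: 2-byte length prefix, then the ciphered IP packet.
        return self.peers[dst], struct.pack("!H", len(body)) + body
```

A packet for a host that is in the peer table but not yet authenticated is refused rather than sent in the clear, which is the check that keeps the tunnel from silently degrading.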

To facilitate the operation of the ARL Secure Link middleware on Linux systems, ARL
developed a graphical method (7) for executing SLD and selecting or deselecting the desired
network traffic. The system administrator can choose to secure desired network traffic in one
direction only, e.g., the sending or receiving direction, by having one of the communicating
systems not route that traffic through SLD. Communicating systems can still communicate with
any hosts that do not run SLD, as long as the network traffic destined for those hosts is not routed
through SLD.

Figure 2 shows a demonstration setup using the ARL Secure Link middleware in a network
environment (which simulates the Internet) of six LANs, five routers, and four communicating
systems (cavalier, colonial, hokie, and patriot). Three communicating systems (cavalier,
colonial, and patriot) have P2P certificates from the same PKI and run the ARL Secure Link
middleware, as indicated by the circled 'sld'. Using a network traffic analyzer (e.g.,
tcpdump) at routers bulldog and tiger, ARL verified and confirmed that the desired network
traffic, such as ping, nfs, and ssh, among systems cavalier, colonial, and patriot was encrypted
and encapsulated inside UDP packets. But network traffic to/from hokie, which did not run SLD,
was clearly detected and eavesdropped by the network traffic analyzer.

Secure Link can cause network applications to experience additional network latency due to the
central processing unit (CPU) processing for encryption and routing; how appreciable the
increased latency is depends on the processing power of the system CPU. Such additional
network latency is typical of network security operations, whether executed at the computer
system level or at the router level.

Figure 2. A demonstration setup of using the ARL Secure Link middleware in an inter-network environment.


3. Benefits 


As shown in the demonstration, the use and operation of the ARL Secure Link middleware are
simple and easy. It provides authentication and end-to-end encryption services for NARA
applications to secure ERA information in transit. Networked computer systems executing
SLD (the Secure Link daemon) can securely communicate with each other by first authenticating
each other and then encrypting their exchanged network traffic through the secure tunnel. This
secure communication can be extended to other network applications running on these computers
as selected or configured by the system administrator. This allows network applications such as
telnet (remote login to a computer), ftp (file transfer), or nfs (remote access to file systems) to
be securely operated and used among networked computer systems without any modification to
the application software or their operation. The ARL Secure Link middleware can operate
independently and concurrently with other security application software (e.g., ssh, scp, or
https) without any adjustments.

By using peer-to-peer authentication, the ARL Secure Link provides more flexibility in
authenticating computer systems, using the same P2P PKI certificates for various communicating
scenarios such as client-to-server, client-to-client, server-to-server, client-to-many-clients,
client-to-many-servers, or server-to-many-servers.

Executing the ARL Secure Link middleware on a computer system can lessen the use of
individual security application software (e.g., ssh, scp, sshfs, or Oracle with security options)
without sacrificing network communication security. This reduced usage of extraneous security
application software frees up computer resources such as CPU cycles, random access memory
(RAM), and disk storage, and reduces computer costs such as software acquisition, installation,
and maintenance (update and upgrade). Ultimately, the use of the ARL Secure Link will reduce
the time and effort required to monitor security, thereby increasing system efficiency.


4. Conclusion 


The U.S. Army Research Laboratory successfully developed the ARL Secure Link middleware
for the U.S. National Archives and Records Administration in the effort to build a secure
distributed computing environment for processing sensitive electronic records archives (ERA).

A demonstration setup of computer nodes connected through inter-networks also successfully
verified the security aspects of the ARL Secure Link, as defined in the Functional Requirements
Assessment of Secure Link, ARL-MR-663. The development of Secure Link also yields a
successful implementation of a peer-to-peer authentication method and its PKI-certificate-
generating method, which, based on Internet searches, have not previously been successfully
implemented or made publicly available.